With widespread application of intelligent terminals and rapid development of the Internet, security of a terminal system becomes one of issues that people mainly pay attention to. Currently, common security monitoring for the terminal system mainly includes two manners. One is real-time monitoring: a triggered system event is captured in real time by security software; risk determining is performed; and a risk behavior is informed in time when a risk happens, which has a high sensitivity. The other is static scanning: a system file is scanned by means of human active triggering of security software; and virus scanning and killing is implemented, which has a strong scanning capability and can capture all risks on a terminal.
However, there are still some drawbacks in these two defense manners. Although the real-time monitoring can instantly inform a user when a risk happens, a message box pops up regardless of a harmful degree of the risk, and too many popup windows easily cause troubles for the user. Moreover, the real-time monitoring can only perform notification and processing on a detected malicious behavior triggered, and another malicious program that is related to the malicious behavior but is not triggered yet cannot be completely removed. However, although the static scanning has a strong scanning and killing capability, a user is required to manually start or set a function of timing starting of static scanning, which has a low relevance to a malicious behavior detected in real time.